pin-versions 0.0.0__tar.gz

pin_versions-0.0.0/.github/workflows/publish.yml

@@ -0,0 +1,26 @@
+name: Publish 
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  pypi:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+        with:
+          python-version: 3.14
+
+      - name: Build
+        run: uv build
+
+      - name: Publish package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

pin_versions-0.0.0/.gitignore

@@ -0,0 +1,216 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#   Usually these files are written by a python script from a template
+#   before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+# Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+# uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+# poetry.lock
+# poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+# pdm.lock
+# pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+# pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# Redis
+*.rdb
+*.aof
+*.pid
+
+# RabbitMQ
+mnesia/
+rabbitmq/
+rabbitmq-data/
+
+# ActiveMQ
+activemq-data/
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#   JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#   be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#   and can be added to the global gitignore or merged into this file.  For a more nuclear
+#   option (not recommended) you can uncomment the following to ignore the entire idea folder.
+# .idea/
+
+# Abstra
+#   Abstra is an AI-powered process automation framework.
+#   Ignore directories containing user credentials, local state, and settings.
+#   Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#   Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#   that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#   and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#   you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/
+
+# Streamlit
+.streamlit/secrets.toml

pin_versions-0.0.0/.pre-commit-hooks.yaml

@@ -0,0 +1,7 @@
+- id: pin-versions
+  name: pin-versions
+  description: Check that all dependencies in pyproject.toml are pinned to a version
+  entry: uv run pin_versions.py --dry-run
+  language: system
+  files: pyproject\.toml$
+  pass_filenames: false

pin_versions-0.0.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License Copyright (c) 2026 Jay Miller
+
+Permission is hereby granted, free of
+charge, to any person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use, copy, modify, merge,
+publish, distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice
+(including the next paragraph) shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF
+ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
+EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

pin_versions-0.0.0/PKG-INFO

@@ -0,0 +1,78 @@
+Metadata-Version: 2.4
+Name: pin-versions
+Version: 0.0.0
+Summary: Pin all dependencies in pyproject.toml to their currently installed versions
+Author: Jay Miller
+License-Expression: MIT
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: tomlkit
+Requires-Dist: click
+Requires-Dist: httpx
+Dynamic: license-file
+
+# pin-versions
+
+A CLI tool and pre-commit hook that pins all unpinned dependencies in `pyproject.toml` to their currently installed versions.
+
+## Installation
+
+```bash
+pip install pin-versions
+```
+
+Or with [uv](https://docs.astral.sh/uv/):
+
+```bash
+uv add pin-versions
+```
+
+## Usage
+
+Run in a project directory with a `pyproject.toml` and a virtual environment:
+
+```bash
+pin-versions
+```
+
+This pins dependencies in `[project].dependencies`, `[project.optional-dependencies]`, and `[dependency-groups]`.
+
+### Options
+
+| Flag | Description |
+|---|---|
+| `--operator`, `-o` | Version pin operator (default: `==`). Supports `>=`, `~=`, etc. |
+| `--pyproject`, `-p` | Path to `pyproject.toml` (default: `./pyproject.toml`) |
+| `--venv` | Path to the virtual environment (default: `.venv`) |
+| `--pin-latest` | Pin uninstalled packages to their latest version on PyPI |
+| `--dry-run` | Preview changes without modifying the file |
+
+### Pre-commit hook
+
+Add to your `.pre-commit-config.yaml`:
+
+```yaml
+repos:
+  - repo: https://github.com/kjaymiller/pin-versions
+    rev: v0.1.0
+    hooks:
+      - id: pin-versions
+```
+
+## Contributing
+
+1. Fork the repo and clone it locally.
+2. Create a virtual environment and install the project in editable mode:
+   ```bash
+   uv venv && uv pip install -e ".[dev]"
+   ```
+3. Create a branch for your changes:
+   ```bash
+   git checkout -b my-feature
+   ```
+4. Make your changes and ensure they work by running:
+   ```bash
+   pin-versions --dry-run
+   ```
+5. Open a pull request against `main`.

pin_versions-0.0.0/README.md

@@ -0,0 +1,64 @@
+# pin-versions
+
+A CLI tool and pre-commit hook that pins all unpinned dependencies in `pyproject.toml` to their currently installed versions.
+
+## Installation
+
+```bash
+pip install pin-versions
+```
+
+Or with [uv](https://docs.astral.sh/uv/):
+
+```bash
+uv add pin-versions
+```
+
+## Usage
+
+Run in a project directory with a `pyproject.toml` and a virtual environment:
+
+```bash
+pin-versions
+```
+
+This pins dependencies in `[project].dependencies`, `[project.optional-dependencies]`, and `[dependency-groups]`.
+
+### Options
+
+| Flag | Description |
+|---|---|
+| `--operator`, `-o` | Version pin operator (default: `==`). Supports `>=`, `~=`, etc. |
+| `--pyproject`, `-p` | Path to `pyproject.toml` (default: `./pyproject.toml`) |
+| `--venv` | Path to the virtual environment (default: `.venv`) |
+| `--pin-latest` | Pin uninstalled packages to their latest version on PyPI |
+| `--dry-run` | Preview changes without modifying the file |
+
+### Pre-commit hook
+
+Add to your `.pre-commit-config.yaml`:
+
+```yaml
+repos:
+  - repo: https://github.com/kjaymiller/pin-versions
+    rev: v0.1.0
+    hooks:
+      - id: pin-versions
+```
+
+## Contributing
+
+1. Fork the repo and clone it locally.
+2. Create a virtual environment and install the project in editable mode:
+   ```bash
+   uv venv && uv pip install -e ".[dev]"
+   ```
+3. Create a branch for your changes:
+   ```bash
+   git checkout -b my-feature
+   ```
+4. Make your changes and ensure they work by running:
+   ```bash
+   pin-versions --dry-run
+   ```
+5. Open a pull request against `main`.

pin_versions-0.0.0/pin_versions.egg-info/PKG-INFO

@@ -0,0 +1,78 @@
+Metadata-Version: 2.4
+Name: pin-versions
+Version: 0.0.0
+Summary: Pin all dependencies in pyproject.toml to their currently installed versions
+Author: Jay Miller
+License-Expression: MIT
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: tomlkit
+Requires-Dist: click
+Requires-Dist: httpx
+Dynamic: license-file
+
+# pin-versions
+
+A CLI tool and pre-commit hook that pins all unpinned dependencies in `pyproject.toml` to their currently installed versions.
+
+## Installation
+
+```bash
+pip install pin-versions
+```
+
+Or with [uv](https://docs.astral.sh/uv/):
+
+```bash
+uv add pin-versions
+```
+
+## Usage
+
+Run in a project directory with a `pyproject.toml` and a virtual environment:
+
+```bash
+pin-versions
+```
+
+This pins dependencies in `[project].dependencies`, `[project.optional-dependencies]`, and `[dependency-groups]`.
+
+### Options
+
+| Flag | Description |
+|---|---|
+| `--operator`, `-o` | Version pin operator (default: `==`). Supports `>=`, `~=`, etc. |
+| `--pyproject`, `-p` | Path to `pyproject.toml` (default: `./pyproject.toml`) |
+| `--venv` | Path to the virtual environment (default: `.venv`) |
+| `--pin-latest` | Pin uninstalled packages to their latest version on PyPI |
+| `--dry-run` | Preview changes without modifying the file |
+
+### Pre-commit hook
+
+Add to your `.pre-commit-config.yaml`:
+
+```yaml
+repos:
+  - repo: https://github.com/kjaymiller/pin-versions
+    rev: v0.1.0
+    hooks:
+      - id: pin-versions
+```
+
+## Contributing
+
+1. Fork the repo and clone it locally.
+2. Create a virtual environment and install the project in editable mode:
+   ```bash
+   uv venv && uv pip install -e ".[dev]"
+   ```
+3. Create a branch for your changes:
+   ```bash
+   git checkout -b my-feature
+   ```
+4. Make your changes and ensure they work by running:
+   ```bash
+   pin-versions --dry-run
+   ```
+5. Open a pull request against `main`.

pin_versions-0.0.0/pin_versions.egg-info/SOURCES.txt

@@ -0,0 +1,15 @@
+.gitignore
+.pre-commit-hooks.yaml
+LICENSE
+README.md
+pyproject.toml
+test.py
+uv.lock
+.github/workflows/publish.yml
+pin_versions.egg-info/PKG-INFO
+pin_versions.egg-info/SOURCES.txt
+pin_versions.egg-info/dependency_links.txt
+pin_versions.egg-info/entry_points.txt
+pin_versions.egg-info/requires.txt
+pin_versions.egg-info/top_level.txt
+pyncushion/pin_versions.py

pin_versions-0.0.0/pin_versions.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

pin_versions-0.0.0/pin_versions.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+pin-versions = pin_versions:main

pin_versions-0.0.0/pin_versions.egg-info/requires.txt

@@ -0,0 +1,3 @@
+tomlkit
+click
+httpx

pin_versions-0.0.0/pin_versions.egg-info/top_level.txt

@@ -0,0 +1 @@
+pyncushion

pin_versions-0.0.0/pyncushion/pin_versions.py

@@ -0,0 +1,166 @@
+"""Pin all dependencies in pyproject.toml to their currently installed versions.
+
+Usage:
+    uv run pin_versions.py [OPTIONS]
+"""
+
+# /// script
+# requires-python = ">=3.10"
+# dependencies = ["tomlkit", "click", "httpx"]
+# ///
+
+import asyncio
+import json
+import subprocess
+from pathlib import Path
+
+import click
+import httpx
+import tomlkit
+
+
+def get_installed_versions(venv: Path) -> dict[str, str]:
+    """Get a mapping of package name -> installed version."""
+    cmd = ["uv", "pip", "list", "--format=json"]
+    if venv.exists():
+        cmd += ["--python", str(venv / "bin" / "python")]
+    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
+    packages = json.loads(result.stdout)
+    return {pkg["name"].lower(): pkg["version"] for pkg in packages}
+
+
+async def get_latest_version(client: httpx.AsyncClient, package_name: str) -> str:
+    """Get the latest version of a package from PyPI."""
+    response = await client.get(f"https://pypi.org/pypi/{package_name}/json")
+    response.raise_for_status()
+    return response.json()["info"]["version"]
+
+
+def extract_package_name(dep: str) -> str:
+    """Extract the package name from a dependency string."""
+    return dep.split("[")[0].split(">")[0].split("<")[0].split("=")[0].split("!")[0].split("~")[0].strip()
+
+
+def has_version_constraint(dep: str) -> bool:
+    """Check if a dependency string already has a version constraint."""
+    return any(op in dep for op in [">=", "<=", "==", "!=", "~=", ">"])
+
+
+async def resolve_missing_versions(
+    client: httpx.AsyncClient,
+    missing: list[str],
+) -> dict[str, str]:
+    """Fetch latest versions for all missing packages concurrently."""
+    tasks = {name: get_latest_version(client, name) for name in missing}
+    results = {}
+    for name, coro in tasks.items():
+        results[name] = await coro
+    return results
+
+
+def collect_unpinned_deps(data: dict) -> list[str]:
+    """Collect all unpinned dependency names that aren't in the installed versions."""
+    deps = []
+
+    if "project" in data:
+        if "dependencies" in data["project"]:
+            deps.extend(data["project"]["dependencies"])
+        if "optional-dependencies" in data["project"]:
+            for group_deps in data["project"]["optional-dependencies"].values():
+                deps.extend(group_deps)
+
+    if "dependency-groups" in data:
+        for group_deps in data["dependency-groups"].values():
+            deps.extend(group_deps)
+
+    return [
+        extract_package_name(dep).lower().replace("_", "-")
+        for dep in deps
+        if not has_version_constraint(dep)
+    ]
+
+
+def pin_dependency(dep: str, versions: dict[str, str], operator: str, failed: list[str]) -> str:
+    """Add version pin to a dependency string if it doesn't already have one."""
+    if has_version_constraint(dep):
+        return dep
+
+    name = extract_package_name(dep)
+    normalized = name.lower().replace("_", "-")
+
+    version = versions.get(normalized)
+    if version:
+        return f"{dep}{operator}{version}"
+
+    click.echo(f"  WARNING: no version found for '{name}', leaving unpinned")
+    failed.append(name)
+    return dep
+
+
+def pin_list(deps, versions: dict[str, str], operator: str, failed: list[str]) -> None:
+    """Pin all dependencies in a tomlkit array in place."""
+    for i, dep in enumerate(deps):
+        deps[i] = pin_dependency(dep, versions, operator, failed)
+
+
+async def async_main(operator: str, pyproject: str, venv: str, pin_latest: bool, dry_run: bool):
+    pyproject_path = Path(pyproject)
+    data = tomlkit.loads(pyproject_path.read_text())
+    versions = get_installed_versions(Path(venv))
+    failed: list[str] = []
+
+    if pin_latest:
+        unpinned = collect_unpinned_deps(data)
+        missing = [name for name in unpinned if name not in versions]
+        if missing:
+            click.echo(f"Looking up latest versions for {len(missing)} uninstalled packages...")
+            async with httpx.AsyncClient() as client:
+                latest = await resolve_missing_versions(client, missing)
+            versions.update(latest)
+
+    # Pin [project].dependencies
+    if "project" in data and "dependencies" in data["project"]:
+        click.echo("Pinning [project].dependencies:")
+        pin_list(data["project"]["dependencies"], versions, operator, failed)
+        for dep in data["project"]["dependencies"]:
+            click.echo(f"  {dep}")
+
+    # Pin [project.optional-dependencies]
+    if "project" in data and "optional-dependencies" in data["project"]:
+        for group, deps in data["project"]["optional-dependencies"].items():
+            click.echo(f"\nPinning [project.optional-dependencies].{group}:")
+            pin_list(deps, versions, operator, failed)
+            for dep in deps:
+                click.echo(f"  {dep}")
+
+    # Pin [dependency-groups]
+    if "dependency-groups" in data:
+        for group, deps in data["dependency-groups"].items():
+            click.echo(f"\nPinning [dependency-groups].{group}:")
+            pin_list(deps, versions, operator, failed)
+            for dep in deps:
+                click.echo(f"  {dep}")
+
+    if dry_run:
+        click.echo("\nDry run — no changes written.")
+    else:
+        pyproject_path.write_text(tomlkit.dumps(data))
+        click.echo(f"\nUpdated {pyproject_path}")
+
+    if failed:
+        raise SystemExit(1)
+
+
+@click.command()
+@click.option("--operator", "-o", default="==", help="Version pin operator (e.g. ==, >=, ~=)")
+@click.option("--pyproject", "-p", default="pyproject.toml", type=click.Path(exists=True), help="Path to pyproject.toml")
+@click.option("--venv", default=".venv", type=click.Path(), help="Path to the project virtualenv")
+@click.option("--pin-latest", is_flag=True, default=False, help="Pin uninstalled packages to their latest PyPI version")
+@click.option("--dry-run", is_flag=True, default=False, help="Show what would change without modifying pyproject.toml")
+def main(operator: str, pyproject: str, venv: str, pin_latest: bool, dry_run: bool):
+    """Pin all unpinned dependencies in pyproject.toml to their installed versions."""
+    asyncio.run(async_main(operator, pyproject, venv, pin_latest, dry_run))
+
+
+if __name__ == "__main__":
+    main()

pin_versions-0.0.0/pyproject.toml

@@ -0,0 +1,26 @@
+[build-system]
+requires = ["setuptools>=64", "setuptools-scm>=8"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "pin-versions"
+dynamic = ["version"]
+description = "Pin all dependencies in pyproject.toml to their currently installed versions"
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.10"
+authors = [
+    {name = "Jay Miller"},
+]
+dependencies = [
+    "tomlkit",
+    "click",
+    "httpx",
+]
+
+[project.scripts]
+pin-versions = "pin_versions:main"
+
+[tool.setuptools-scm]
+local_scheme = "no-local-version"
+

pin_versions-0.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

pin_versions-0.0.0/test.py

@@ -0,0 +1,359 @@
+"""Tests for pin_versions — a tool that pins dependencies in pyproject.toml to installed versions.
+
+Tests cover parsing dependency strings, detecting version constraints,
+pinning individual and grouped dependencies, fetching versions from PyPI,
+and the end-to-end workflow via async_main.
+"""
+
+import json
+from pathlib import Path
+from unittest.mock import AsyncMock, patch
+
+import httpx
+import pytest
+import tomlkit
+
+from pin_versions import (
+    async_main,
+    collect_unpinned_deps,
+    extract_package_name,
+    get_installed_versions,
+    get_latest_version,
+    has_version_constraint,
+    pin_dependency,
+    pin_list,
+    resolve_missing_versions,
+)
+
+
+class TestExtractPackageName:
+    """Tests for extract_package_name(dep: str) -> str.
+
+    Given a dependency string that may contain extras (e.g. [argon2]) and/or
+    version specifiers (>=, ==, etc.), should return only the bare package name.
+    """
+
+    @pytest.mark.parametrize(
+        "dep, expected",
+        [
+            ("requests", "requests"),
+            ("requests>=2.0", "requests"),
+            ("requests==2.28.0", "requests"),
+            ("requests~=2.28", "requests"),
+            ("django[argon2]", "django"),
+            ("django[argon2]>=4.0", "django"),
+        ],
+    )
+    def test_extracts_name_from_various_formats(self, dep, expected):
+        """Should strip version specifiers and extras to return the bare name."""
+        assert extract_package_name(dep) == expected
+
+
+class TestHasVersionConstraint:
+    """Tests for has_version_constraint(dep: str) -> bool.
+
+    Returns True when the dependency string contains any version operator
+    (>=, ==, <=, !=, ~=, >), False otherwise. Extras like [argon2] alone
+    should not be treated as version constraints.
+    """
+
+    @pytest.mark.parametrize(
+        "dep, expected",
+        [
+            ("requests", False),
+            ("django[argon2]", False),
+            ("requests>=2.0", True),
+            ("requests==2.28.0", True),
+            ("requests!=2.0", True),
+            ("requests~=2.28", True),
+        ],
+    )
+    def test_detects_constraints(self, dep, expected):
+        """Should return True only when a version operator is present."""
+        assert has_version_constraint(dep) == expected
+
+
+class TestPinDependency:
+    """Tests for pin_dependency(dep, versions, operator, failed) -> str.
+
+    Given a dependency string, a {name: version} mapping, and an operator,
+    returns the dep string with the version appended. Skips already-pinned deps,
+    normalizes underscores to hyphens for lookup, and appends to the failed list
+    when no version is found.
+    """
+
+    def test_pins_with_installed_version(self):
+        """'requests' with versions={'requests': '2.28.0'} and operator '==' returns 'requests==2.28.0'."""
+        failed = []
+        assert pin_dependency("requests", {"requests": "2.28.0"}, "==", failed) == "requests==2.28.0"
+        assert failed == []
+
+    def test_preserves_extras(self):
+        """'django[argon2]' pins to 'django[argon2]==4.2.0', preserving the extras bracket."""
+        failed = []
+        assert pin_dependency("django[argon2]", {"django": "4.2.0"}, "==", failed) == "django[argon2]==4.2.0"
+
+    def test_skips_already_pinned(self):
+        """'requests>=2.0' is returned unchanged even when a newer version is available."""
+        failed = []
+        assert pin_dependency("requests>=2.0", {"requests": "2.28.0"}, "==", failed) == "requests>=2.0"
+
+    def test_records_missing_version(self):
+        """'unknown-pkg' with empty versions dict is left unpinned and added to the failed list."""
+        failed = []
+        assert pin_dependency("unknown-pkg", {}, "==", failed) == "unknown-pkg"
+        assert failed == ["unknown-pkg"]
+
+    def test_normalizes_underscores(self):
+        """'my_package' matches versions key 'my-package' via underscore-to-hyphen normalization."""
+        failed = []
+        assert pin_dependency("my_package", {"my-package": "1.0.0"}, "==", failed) == "my_package==1.0.0"
+
+
+class TestPinList:
+    """Tests for pin_list(deps, versions, operator, failed) -> None.
+
+    Mutates a tomlkit array in place, pinning bare deps and leaving
+    already-constrained deps unchanged.
+    """
+
+    def test_pins_unpinned_and_skips_pinned(self):
+        """Should pin bare deps and leave already-constrained deps unchanged."""
+        deps = tomlkit.array()
+        deps.append("requests")
+        deps.append("flask>=2.0")
+        failed = []
+        pin_list(deps, {"requests": "2.28.0"}, "==", failed)
+        assert deps[0] == "requests==2.28.0"
+        assert deps[1] == "flask>=2.0"
+
+
+class TestCollectUnpinnedDeps:
+    """Tests for collect_unpinned_deps(data: dict) -> list[str].
+
+    Scans project.dependencies, project.optional-dependencies, and
+    dependency-groups for entries without version constraints. Returns
+    normalized (lowercased, underscores replaced with hyphens) package names.
+    """
+
+    def test_from_all_sections(self):
+        """Should collect unpinned deps from dependencies, optional-dependencies, and dependency-groups."""
+        data = {
+            "project": {
+                "dependencies": ["requests", "flask>=2.0"],
+                "optional-dependencies": {"dev": ["pytest"]},
+            },
+            "dependency-groups": {"test": ["coverage>=7.0", "hypothesis"]},
+        }
+        result = collect_unpinned_deps(data)
+        assert set(result) == {"requests", "pytest", "hypothesis"}
+
+    def test_normalizes_names(self):
+        """Should normalize underscores to hyphens in collected names."""
+        data = {"project": {"dependencies": ["my_package"]}}
+        assert collect_unpinned_deps(data) == ["my-package"]
+
+    def test_empty_data(self):
+        """Should return an empty list when no dependency sections exist."""
+        assert collect_unpinned_deps({}) == []
+
+
+class TestGetInstalledVersions:
+    """Tests for get_installed_versions(venv: Path) -> dict[str, str].
+
+    Runs `uv pip list --format=json` and returns a {lowered_name: version} dict.
+    When the venv path exists, passes --python to target that interpreter.
+    """
+
+    def test_with_existing_venv(self, tmp_path):
+        """With a valid .venv dir, passes --python <venv>/bin/python and lowercases package names."""
+        venv = tmp_path / ".venv"
+        venv.mkdir()
+        (venv / "bin").mkdir()
+        (venv / "bin" / "python").touch()
+
+        pip_output = json.dumps([
+            {"name": "requests", "version": "2.28.0"},
+            {"name": "Flask", "version": "2.3.0"},
+        ])
+
+        with patch("pin_versions.subprocess.run") as mock_run:
+            mock_run.return_value.stdout = pip_output
+            result = get_installed_versions(venv)
+
+        assert result == {"requests": "2.28.0", "flask": "2.3.0"}
+        assert "--python" in mock_run.call_args[0][0]
+
+    def test_without_venv(self, tmp_path):
+        """With a nonexistent venv path, omits --python and uses the default interpreter."""
+        pip_output = json.dumps([{"name": "requests", "version": "2.28.0"}])
+
+        with patch("pin_versions.subprocess.run") as mock_run:
+            mock_run.return_value.stdout = pip_output
+            get_installed_versions(tmp_path / "nonexistent")
+
+        assert "--python" not in mock_run.call_args[0][0]
+
+
+class TestGetLatestVersion:
+    """Tests for get_latest_version(client, package_name) -> str | None.
+
+    Makes a GET to https://pypi.org/pypi/{name}/json. Returns the version
+    string on success (200) or raises httpx.HTTPStatusError on failure.
+    """
+
+    @pytest.mark.asyncio
+    async def test_success(self):
+        """PyPI returns 200 with {"info": {"version": "3.0.0"}} -> returns '3.0.0'."""
+        mock_response = httpx.Response(
+            200,
+            json={"info": {"version": "3.0.0"}},
+            request=httpx.Request("GET", "https://pypi.org/pypi/requests/json"),
+        )
+
+        client = AsyncMock(spec=httpx.AsyncClient)
+        client.get.return_value = mock_response
+
+        assert await get_latest_version(client, "requests") == "3.0.0"
+
+    @pytest.mark.asyncio
+    async def test_not_found(self):
+        """PyPI returns 404 for an unknown package -> raises httpx.HTTPStatusError."""
+        mock_response = httpx.Response(404, request=httpx.Request("GET", "https://pypi.org/pypi/nonexistent/json"))
+
+        client = AsyncMock(spec=httpx.AsyncClient)
+        client.get.return_value = mock_response
+
+        with pytest.raises(httpx.HTTPStatusError):
+            await get_latest_version(client, "nonexistent")
+
+
+class TestResolveMissingVersions:
+    """Tests for resolve_missing_versions(client, missing) -> dict[str, str].
+
+    Concurrently fetches latest versions for a list of package names.
+    Returns a dict of {name: version} on success; raises on any failed lookup.
+    """
+
+    @pytest.mark.asyncio
+    async def test_resolves_all_available(self):
+        """['requests', 'flask'] -> {'requests': '2.31.0', 'flask': '3.0.0'}."""
+
+        async def mock_get(url):
+            version = "2.31.0" if "requests" in url else "3.0.0"
+            return httpx.Response(
+                200,
+                json={"info": {"version": version}},
+                request=httpx.Request("GET", url),
+            )
+
+        client = AsyncMock(spec=httpx.AsyncClient)
+        client.get.side_effect = mock_get
+
+        result = await resolve_missing_versions(client, ["requests", "flask"])
+        assert result == {"requests": "2.31.0", "flask": "3.0.0"}
+
+    @pytest.mark.asyncio
+    async def test_raises_on_missing_package(self):
+        """A 404 from PyPI propagates as httpx.HTTPStatusError."""
+
+        async def mock_get(url):
+            return httpx.Response(404, request=httpx.Request("GET", url))
+
+        client = AsyncMock(spec=httpx.AsyncClient)
+        client.get.side_effect = mock_get
+
+        with pytest.raises(httpx.HTTPStatusError):
+            await resolve_missing_versions(client, ["nonexistent"])
+
+
+class TestAsyncMain:
+    """Integration tests for async_main(operator, pyproject, venv, pin_latest, dry_run).
+
+    Exercises the full workflow: reading pyproject.toml, resolving versions,
+    pinning across all dependency sections, and writing (or skipping) the result.
+    Uses a temp-dir pyproject.toml and mocked version lookups.
+    """
+
+    @pytest.fixture
+    def sample_pyproject(self, tmp_path):
+        """Create a sample pyproject.toml with unpinned and pinned deps."""
+        content = tomlkit.dumps({
+            "project": {
+                "dependencies": ["requests", "flask>=2.0"],
+                "optional-dependencies": {"dev": ["pytest"]},
+            },
+            "dependency-groups": {"test": ["coverage"]},
+        })
+        path = tmp_path / "pyproject.toml"
+        path.write_text(content)
+        return path
+
+    @pytest.fixture
+    def mock_versions(self):
+        """Version mapping for test packages."""
+        return {"requests": "2.28.0", "pytest": "7.4.0", "coverage": "7.3.0"}
+
+    @pytest.mark.asyncio
+    async def test_pins_all_sections(self, sample_pyproject, mock_versions, tmp_path):
+        """Writes pinned versions to all three sections; leaves already-constrained deps untouched."""
+        with patch("pin_versions.get_installed_versions", return_value=mock_versions):
+            await async_main("==", str(sample_pyproject), str(tmp_path / ".venv"), False, False)
+
+        data = tomlkit.loads(sample_pyproject.read_text())
+        assert data["project"]["dependencies"][0] == "requests==2.28.0"
+        assert data["project"]["dependencies"][1] == "flask>=2.0"
+        assert data["project"]["optional-dependencies"]["dev"][0] == "pytest==7.4.0"
+        assert data["dependency-groups"]["test"][0] == "coverage==7.3.0"
+
+    @pytest.mark.asyncio
+    async def test_dry_run_does_not_write(self, sample_pyproject, mock_versions, tmp_path):
+        """With dry_run=True, pyproject.toml content is identical before and after."""
+        original = sample_pyproject.read_text()
+
+        with patch("pin_versions.get_installed_versions", return_value=mock_versions):
+            await async_main("==", str(sample_pyproject), str(tmp_path / ".venv"), False, True)
+
+        assert sample_pyproject.read_text() == original
+
+    @pytest.mark.asyncio
+    async def test_custom_operator(self, sample_pyproject, mock_versions, tmp_path):
+        """With operator='>=' pins as 'requests>=2.28.0' instead of 'requests==2.28.0'."""
+        with patch("pin_versions.get_installed_versions", return_value=mock_versions):
+            await async_main(">=", str(sample_pyproject), str(tmp_path / ".venv"), False, False)
+
+        data = tomlkit.loads(sample_pyproject.read_text())
+        assert data["project"]["dependencies"][0] == "requests>=2.28.0"
+
+    @pytest.mark.asyncio
+    async def test_exits_on_missing_versions(self, sample_pyproject, tmp_path):
+        """With an empty versions dict, all deps fail to resolve and SystemExit(1) is raised."""
+        with patch("pin_versions.get_installed_versions", return_value={}):
+            with pytest.raises(SystemExit):
+                await async_main("==", str(sample_pyproject), str(tmp_path / ".venv"), False, False)
+
+    @pytest.mark.asyncio
+    async def test_pin_latest_fetches_from_pypi(self, sample_pyproject, tmp_path):
+        """With pin_latest=True, 'coverage' (not installed) is fetched from PyPI and pinned to '7.3.0'."""
+        installed = {"requests": "2.28.0", "pytest": "7.4.0"}
+
+        async def mock_get(url):
+            return httpx.Response(
+                200,
+                json={"info": {"version": "7.3.0"}},
+                request=httpx.Request("GET", url),
+            )
+
+        with (
+            patch("pin_versions.get_installed_versions", return_value=installed),
+            patch("httpx.AsyncClient") as MockClient,
+        ):
+            mock_client = AsyncMock()
+            mock_client.get.side_effect = mock_get
+            MockClient.return_value.__aenter__ = AsyncMock(return_value=mock_client)
+            MockClient.return_value.__aexit__ = AsyncMock(return_value=False)
+
+            await async_main("==", str(sample_pyproject), str(tmp_path / ".venv"), True, False)
+
+        data = tomlkit.loads(sample_pyproject.read_text())
+        assert data["dependency-groups"]["test"][0] == "coverage==7.3.0"

pin_versions-0.0.0/uv.lock

@@ -0,0 +1,139 @@
+version = 1
+revision = 3
+requires-python = ">=3.10"
+
+[[package]]
+name = "anyio"
+version = "4.12.1"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "exceptiongroup", marker = "python_full_version < '3.11'" },
+    { name = "idna" },
+    { name = "typing-extensions", marker = "python_full_version < '3.13'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/96/f0/5eb65b2bb0d09ac6776f2eb54adee6abe8228ea05b20a5ad0e4945de8aac/anyio-4.12.1.tar.gz", hash = "sha256:41cfcc3a4c85d3f05c932da7c26d0201ac36f72abd4435ba90d0464a3ffed703", size = 228685, upload-time = "2026-01-06T11:45:21.246Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/38/0e/27be9fdef66e72d64c0cdc3cc2823101b80585f8119b5c112c2e8f5f7dab/anyio-4.12.1-py3-none-any.whl", hash = "sha256:d405828884fc140aa80a3c667b8beed277f1dfedec42ba031bd6ac3db606ab6c", size = 113592, upload-time = "2026-01-06T11:45:19.497Z" },
+]
+
+[[package]]
+name = "certifi"
+version = "2026.2.25"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/af/2d/7bf41579a8986e348fa033a31cdd0e4121114f6bce2457e8876010b092dd/certifi-2026.2.25.tar.gz", hash = "sha256:e887ab5cee78ea814d3472169153c2d12cd43b14bd03329a39a9c6e2e80bfba7", size = 155029, upload-time = "2026-02-25T02:54:17.342Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/9a/3c/c17fb3ca2d9c3acff52e30b309f538586f9f5b9c9cf454f3845fc9af4881/certifi-2026.2.25-py3-none-any.whl", hash = "sha256:027692e4402ad994f1c42e52a4997a9763c646b73e4096e4d5d6db8af1d6f0fa", size = 153684, upload-time = "2026-02-25T02:54:15.766Z" },
+]
+
+[[package]]
+name = "click"
+version = "8.3.1"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "colorama", marker = "sys_platform == 'win32'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/3d/fa/656b739db8587d7b5dfa22e22ed02566950fbfbcdc20311993483657a5c0/click-8.3.1.tar.gz", hash = "sha256:12ff4785d337a1bb490bb7e9c2b1ee5da3112e94a8622f26a6c77f5d2fc6842a", size = 295065, upload-time = "2025-11-15T20:45:42.706Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/98/78/01c019cdb5d6498122777c1a43056ebb3ebfeef2076d9d026bfe15583b2b/click-8.3.1-py3-none-any.whl", hash = "sha256:981153a64e25f12d547d3426c367a4857371575ee7ad18df2a6183ab0545b2a6", size = 108274, upload-time = "2025-11-15T20:45:41.139Z" },
+]
+
+[[package]]
+name = "colorama"
+version = "0.4.6"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44", size = 27697, upload-time = "2022-10-25T02:36:22.414Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335, upload-time = "2022-10-25T02:36:20.889Z" },
+]
+
+[[package]]
+name = "exceptiongroup"
+version = "1.3.1"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "typing-extensions", marker = "python_full_version < '3.13'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/50/79/66800aadf48771f6b62f7eb014e352e5d06856655206165d775e675a02c9/exceptiongroup-1.3.1.tar.gz", hash = "sha256:8b412432c6055b0b7d14c310000ae93352ed6754f70fa8f7c34141f91c4e3219", size = 30371, upload-time = "2025-11-21T23:01:54.787Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/8a/0e/97c33bf5009bdbac74fd2beace167cab3f978feb69cc36f1ef79360d6c4e/exceptiongroup-1.3.1-py3-none-any.whl", hash = "sha256:a7a39a3bd276781e98394987d3a5701d0c4edffb633bb7a5144577f82c773598", size = 16740, upload-time = "2025-11-21T23:01:53.443Z" },
+]
+
+[[package]]
+name = "h11"
+version = "0.16.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/01/ee/02a2c011bdab74c6fb3c75474d40b3052059d95df7e73351460c8588d963/h11-0.16.0.tar.gz", hash = "sha256:4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1", size = 101250, upload-time = "2025-04-24T03:35:25.427Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/04/4b/29cac41a4d98d144bf5f6d33995617b185d14b22401f75ca86f384e87ff1/h11-0.16.0-py3-none-any.whl", hash = "sha256:63cf8bbe7522de3bf65932fda1d9c2772064ffb3dae62d55932da54b31cb6c86", size = 37515, upload-time = "2025-04-24T03:35:24.344Z" },
+]
+
+[[package]]
+name = "httpcore"
+version = "1.0.9"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "certifi" },
+    { name = "h11" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/06/94/82699a10bca87a5556c9c59b5963f2d039dbd239f25bc2a63907a05a14cb/httpcore-1.0.9.tar.gz", hash = "sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8", size = 85484, upload-time = "2025-04-24T22:06:22.219Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/7e/f5/f66802a942d491edb555dd61e3a9961140fd64c90bce1eafd741609d334d/httpcore-1.0.9-py3-none-any.whl", hash = "sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55", size = 78784, upload-time = "2025-04-24T22:06:20.566Z" },
+]
+
+[[package]]
+name = "httpx"
+version = "0.28.1"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "anyio" },
+    { name = "certifi" },
+    { name = "httpcore" },
+    { name = "idna" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/b1/df/48c586a5fe32a0f01324ee087459e112ebb7224f646c0b5023f5e79e9956/httpx-0.28.1.tar.gz", hash = "sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc", size = 141406, upload-time = "2024-12-06T15:37:23.222Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/2a/39/e50c7c3a983047577ee07d2a9e53faf5a69493943ec3f6a384bdc792deb2/httpx-0.28.1-py3-none-any.whl", hash = "sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad", size = 73517, upload-time = "2024-12-06T15:37:21.509Z" },
+]
+
+[[package]]
+name = "idna"
+version = "3.11"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/6f/6d/0703ccc57f3a7233505399edb88de3cbd678da106337b9fcde432b65ed60/idna-3.11.tar.gz", hash = "sha256:795dafcc9c04ed0c1fb032c2aa73654d8e8c5023a7df64a53f39190ada629902", size = 194582, upload-time = "2025-10-12T14:55:20.501Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/0e/61/66938bbb5fc52dbdf84594873d5b51fb1f7c7794e9c0f5bd885f30bc507b/idna-3.11-py3-none-any.whl", hash = "sha256:771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea", size = 71008, upload-time = "2025-10-12T14:55:18.883Z" },
+]
+
+[[package]]
+name = "pin-versions"
+source = { editable = "." }
+dependencies = [
+    { name = "click" },
+    { name = "httpx" },
+    { name = "tomlkit" },
+]
+
+[package.metadata]
+requires-dist = [
+    { name = "click" },
+    { name = "httpx" },
+    { name = "tomlkit" },
+]
+
+[[package]]
+name = "tomlkit"
+version = "0.14.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/c3/af/14b24e41977adb296d6bd1fb59402cf7d60ce364f90c890bd2ec65c43b5a/tomlkit-0.14.0.tar.gz", hash = "sha256:cf00efca415dbd57575befb1f6634c4f42d2d87dbba376128adb42c121b87064", size = 187167, upload-time = "2026-01-13T01:14:53.304Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/b5/11/87d6d29fb5d237229d67973a6c9e06e048f01cf4994dee194ab0ea841814/tomlkit-0.14.0-py3-none-any.whl", hash = "sha256:592064ed85b40fa213469f81ac584f67a4f2992509a7c3ea2d632208623a3680", size = 39310, upload-time = "2026-01-13T01:14:51.965Z" },
+]
+
+[[package]]
+name = "typing-extensions"
+version = "4.15.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/72/94/1a15dd82efb362ac84269196e94cf00f187f7ed21c242792a923cdb1c61f/typing_extensions-4.15.0.tar.gz", hash = "sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466", size = 109391, upload-time = "2025-08-25T13:49:26.313Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/18/67/36e9267722cc04a6b9f15c7f3441c2363321a3ea07da7ae0c0707beb2a9c/typing_extensions-4.15.0-py3-none-any.whl", hash = "sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548", size = 44614, upload-time = "2025-08-25T13:49:24.86Z" },
+]